lecture notes 12 fall 2010

Upload: babu-sa

Post on 14-Apr-2018


  • 7/29/2019 Lecture Notes 12 Fall 2010


    Inside the Orange Book

    SYCS 653 Fall 2010

    Lecture 12 Notes

    Wayne Patterson


    Orange Book

    If you're at all interested in computer security, you'll need to know something about the Orange Book. As more organizations become security-conscious, as more vendors develop secure systems and products, and as more government requisitions stipulate that equipment purchases be tied to Orange Book certification, there's more of a need to understand the Orange Book.


    References

    The entire series of publications on computer security standards known as the Rainbow Series Library is on the web, through the National Computer Security Center (NCSC). The URL for the entire series is:

    http://www.radium.ncsc.mil/tpep/library/rainbow/

    and in particular for the Orange Book (available also in text, PostScript, or PDF format):

    http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html


    Rainbow Series Library

    Document Format Information

    5200.28-STD DoD Trusted Computer System Evaluation Criteria, 26 December 1985 (Supersedes CSC-STD-001-83, dtd 15 Aug 83). (Orange Book)

    CSC-STD-002-85 DoD Password Management Guideline, 12 April 1985. (Green Book)

    CSC-STD-003-85 Computer Security Requirements -- Guidance for Applying the DoD TCSEC in Specific Environments, 25 June 1985 (Light Yellow Book)

    CSC-STD-004-85 Technical Rationale Behind CSC-STD-003-85: Computer Security Requirements -- Guidance for Applying the DoD TCSEC in Specific Environments, 25 June 1985. (Yellow Book)


    NTISSAM COMPUSEC/1-87 Advisory Memorandum on Office Automation Security Guidelines

    NCSC-TG-001 Ver. 2 A Guide to Understanding Audit in Trusted Systems 1 June 1988, Version 2. (Tan Book)

    NCSC-TG-002 Trusted Product Evaluations - A Guide for Vendors, 22 June 1990. (Bright Blue Book) See also TPEP Procedures, which supersedes parts of this document.

    NCSC-TG-003 A Guide to Understanding Discretionary Access Control in Trusted Systems, 30 September 1987. (Neon Orange Book)


    NCSC-TG-004 Glossary of Computer Security Terms, 21 October 1988. (Teal Green Book) (NCSC-WA-001-85 is obsolete)

    NCSC-TG-005 Trusted Network Interpretation of the TCSEC (TNI), 31 July 1987. (Red Book)

    NCSC-TG-006 A Guide to Understanding Configuration Management in Trusted Systems, 28 March 1988. (Amber Book)

    NCSC-TG-007 A Guide to Understanding Design Documentation in Trusted Systems, 6 October 1988. (Burgundy Book) See also Process Guidelines for Design Documentation, which may supersede parts of this document.


    NCSC-TG-008 A Guide to Understanding Trusted Distribution in Trusted Systems 15 December 1988. (Dark Lavender Book)

    NCSC-TG-009 Computer Security Subsystem Interpretation of the TCSEC 16 September 1988. (Venice Blue Book)

    NCSC-TG-010 A Guide to Understanding Security Modeling in Trusted Systems, October 1992. (Aqua Book)

    NCSC-TG-011 Trusted Network Interpretation Environments Guideline - Guidance for Applying the TNI, 1 August 1990. (Red Book)

    NCSC-TG-013 Ver. 2 RAMP Program Document, 1 March 1995, Version 2 (Pink Book)


    NCSC-TG-014 Guidelines for Formal Verification Systems, 1 April 1989. (Purple Book)

    NCSC-TG-015 A Guide to Understanding Trusted Facility Management, 18 October 1989 (Brown Book)

    NCSC-TG-016 Guidelines for Writing Trusted Facility Manuals, October 1992. (Yellow-Green Book)

    NCSC-TG-017 A Guide to Understanding Identification and Authentication in Trusted Systems, September 1991. (Light Blue Book)

    NCSC-TG-018 A Guide to Understanding Object Reuse in Trusted Systems, July 1992. (Light Blue Book)


    NCSC-TG-019 Ver. 2 Trusted Product Evaluation Questionnaire, 2 May 1992, Version 2. (Blue Book)

    NCSC-TG-020-A Trusted UNIX Working Group (TRUSIX) Rationale for Selecting Access Control List Features for the UNIX System, 7 July 1989. (Silver Book)

    NCSC-TG-021 Trusted Database Management System Interpretation of the TCSEC (TDI), April 1991. (Purple Book)

    NCSC-TG-022 A Guide to Understanding Trusted Recovery in Trusted Systems, 30 December 1991. (Yellow Book)

    NCSC-TG-023 A Guide to Understanding Security Testing and Test Documentation in Trusted Systems (Bright Orange Book) See also Process Guidelines for Test Documentation, which may supersede parts of this document.


    NCSC-TG-024 Vol. 1/4 A Guide to Procurement of Trusted Systems: An Introduction to Procurement Initiators on Computer Security Requirements, December 1992. (Purple Book)

    NCSC-TG-024 Vol. 2/4 A Guide to Procurement of Trusted Systems: Language for RFP Specifications and Statements of Work - An Aid to Procurement Initiators, 30 June 1993. (Purple Book)

    NCSC-TG-024 Vol. 3/4 A Guide to Procurement of Trusted Systems: Computer Security Contract Data Requirements List and Data Item Description Tutorial, 28 February 1994. (Purple Book)

    NCSC-TG-024 Vol. 4/4 A Guide to Procurement of Trusted Systems: How to Evaluate a Bidder's Proposal Document - An Aid to Procurement Initiators and Contractors (Purple Book) (publication TBA)

    NCSC-TG-025 Ver. 2 A Guide to Understanding Data Remanence in Automated Information Systems, September 1991, Version 2, (Supersedes CSC-STD-005-85). (Forest Green Book)


    NCSC-TG-026 A Guide to Writing the Security Features User's Guide for Trusted Systems, September 1991. (Hot Peach Book)

    NCSC-TG-027 A Guide to Understanding Information System Security Officer Responsibilities for Automated Information Systems, May 1992. (Turquoise Book)

    NCSC-TG-028 Assessing Controlled Access Protection, 25 May 1992. (Violet Book)

    NCSC-TG-029 Introduction to Certification and Accreditation Concepts, January 1994. (Blue Book)

    NCSC-TG-030 A Guide to Understanding Covert Channel Analysis of Trusted Systems, November 1993. (Light Pink Book)


    Other NCSC Publications

    C1 Technical Report 001 Technical Report, Computer Viruses: Prevention, Detection, and Treatment, 12 March 1990

    C Technical Report 79-91 Technical Report, Integrity in Automated Information Systems, September 1991.

    C Technical Report 32-92 The Design and Evaluation of INFOSEC systems: The Computer Security Contribution to the Composition Discussion, June 1992.

    C Technical Report 111-91 Integrity-Oriented Control Objectives: Proposed Revisions to the TCSEC, October 1991.


    NCSC Technical Report 002 Use of the TCSEC for Complex, Evolving, Multipolicy Systems

    NCSC Technical Report 003 Turning Multiple Evaluated Products Into Trusted Systems

    NCSC Technical Report 004 A Guide to Procurement of Single Connected Systems - Language for RFP Specifications and Statements of Work - An Aid to Procurement Initiators - Includes Complex, Evolving, and Multipolicy Systems


    NCSC Technical Report 005 Volume 1/5 Inference and Aggregation Issues In Secure Database Management Systems

    NCSC Technical Report 005 Volume 2/5 Entity and Referential Integrity Issues In Multilevel Secure Database Management

    NCSC Technical Report 005 Volume 3/5 Polyinstantiation Issues In Multilevel Secure Database Management Systems

    NCSC Technical Report 005 Volume 4/5 Auditing Issues In Secure Database Management Systems

    NCSC Technical Report 005 Volume 5/5 Discretionary Access Control Issues In High Assurance Secure Database Management Systems

    Four Divisions

    The Orange Book defines four broad hierarchical divisions of security protection. In increasing order of trust, they are:

    D Minimal security

    C Discretionary protection

    B Mandatory protection

    A Verified protection

    Numbered Classes

    Each division consists of one or more numbered classes, with higher numbers indicating a higher degree of security. For example, division C contains two distinct classes (C2 offers more security than C1); division B contains three classes (B3 > B2 > B1); division A currently contains only one class.

    Criteria

    Each class is defined by a specific set of criteria that a system must meet to be awarded a rating in that class. The criteria fall into four general categories: security policy, accountability, assurance, and documentation.

    Measurement

    The evaluation criteria for the Orange Book were developed with three basic objectives:

    Measurement: To provide users with a metric with which to assess the degree of trust that can be placed in computer systems for the secure processing of classified or other sensitive information. For example, a user can rely on a B2 system to be more secure than a C2 system.

    Guidance

    Guidance: To provide guidance to manufacturers as to what to build into their trusted commercial products to satisfy trust requirements for sensitive applications.

    Acquisition

    Acquisition: To provide a basis for specifying security requirements in acquisition specifications. Rather than specifying a hodge-podge of security requirements, and having vendors respond in piecemeal fashion, the Orange Book provides a clear way of specifying a coordinated set of security functions. A customer can be confident that the system he or she acquires has already been checked out for the needed degree of security.

    What's a Trusted System?

    The Orange Book defines it as:

    A system that employs sufficient hardware and software integrity measures to allow its use for processing simultaneously a range of sensitive or classified information.

    Measuring Trust

    How does the Orange Book measure trust? The book approaches security from two perspectives:

    Security Policy

    A security policy states the rules enforced by a system's security features; e.g. the rules governing whether a particular user is allowed to access a particular piece of information. Obviously, there are more security features in a highly secure system (B1 or higher) than in a less secure system (say, C1 or C2), although at the highest levels there are actually few differences in security features. Instead there is more assurance.

    Assurance

    Assurance is the trust that can be placed in a system, and the trusted ways the system can be proven to have been developed, tested, documented, maintained and delivered to a customer. At the higher levels of security, there are few changes in security features, but a definite increase in the degree of assurance a user can place in the system's architecture and security policies.

    Assurance

    As the Orange Book puts it, assurance "begins [at the lowest class] with an operable access control mechanism and ends [at the highest class] with a mechanism that a clever and determined user cannot circumvent."

    In the lower classes (C1, C2, B1) assurance of correct and complete design and implementation is gained mostly through testing of the security-relevant portions of the system. In the higher classes (B2, B3, and A1), assurance is derived more from system design and implementation and, at the highest level (A1 only), from formal verification tools. Assurance is described in detail later in this lecture.

    Trusted Computing Base

    The concept of the trusted computing base (TCB) is central to the notion of a trusted system. The Orange Book uses the term TCB to refer to the mechanisms that enforce security in a system. The book defines the TCB as follows:

    Trusted Computing Base

    The totality of protection mechanisms within a computer system -- including hardware, firmware, and software -- the combination of which is responsible for enforcing a security policy. A TCB consists of one or more components that together enforce a unified security policy over a product or system. The ability of a trusted computing base to correctly enforce a security policy depends solely on the mechanisms within the TCB and on the correct input by system administrative personnel of parameters (e.g., a user's clearance) related to the security policy.

    Defining the TCB

    Not every part of an operating system needs to be trusted. An important part of an evaluation of a computer system is to identify the architecture, assurance mechanisms, and security features that comprise the TCB, and to show how the TCB is protected from interference and tampering.

    Reference Monitor

    A reference monitor is a concept that enforces the authorized access relationships between subjects and objects of a system. James Anderson, the developer of this concept, lists three design requirements that must be met by a reference monitor mechanism:

    Isolation: the reference monitor must be tamperproof.

    Completeness: the reference monitor must be invoked for every access decision, and must be impossible to bypass.

    Verifiability: the reference monitor must be small enough to be able to be analyzed and tested, and it must be possible to ensure that the testing is complete.

    Security Policy

    A security policy is the set of rules and practices that regulate how an organization manages, protects, and distributes sensitive information. A security policy is typically stated in terms of subjects and objects. A subject is something active in the system; examples are users, processes, and programs. An object is something that a subject acts upon; examples of objects are files, directories, devices, sockets, and windows.

    Security Policy

    The Orange Book defines a security policy as follows:

    The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

    Policy --- Informal or Formal

    At the lower levels of trust (C1, C2, B1) an informally stated policy is acceptable. At the higher levels of trust (B2, B3, A1), a formally stated, mathematically precise policy is required.

    Security Model

    A security model expresses a system's security requirements precisely and without confusion. The Orange Book criteria are based on the state-machine model developed by David Bell and Leonard LaPadula in 1973. This is the first mathematical model of a multi-level secure computer system. The Orange Book describes the Bell-LaPadula model as follows:

    Bell-LaPadula

    A formal state transition model of computer security policy that describes a set of access control rules. In this formal model, the entities in a computer system are divided into abstract sets of subjects and objects. The notion of a secure state is defined and it is proven that each state transition preserves security by moving from secure state to secure state; thus, inductively proving that the system is secure. A system state is defined to be "secure" if the only permitted access modes of subjects to objects are in accordance with a specific security policy. In order to determine whether or not a specific access mode is allowed, the clearance of a subject is compared to the classification of the object and a determination is made as to whether the subject is authorized for the specific access mode. The clearance/classification scheme is expressed in terms of a lattice.
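The clearance-versus-classification check described above, enforced through a single reference monitor in the sense of Anderson's completeness requirement, as an added example (not from the lecture or the Orange Book). It goes beyond the slide by spelling out the model's two standard rules, the simple security property (no read up) and the *-property (no write down). Assumptions: the level names, categories, users, files and the ReferenceMonitor class are constructed for illustration, and each subject's current level equals its clearance.

```python
from dataclasses import dataclass

LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2, "TOP SECRET": 3}  # constructed

@dataclass(frozen=True)
class Label:
    """One point in the lattice: a hierarchical level plus a set of categories."""
    level: str
    categories: frozenset = frozenset()

    def dominates(self, other):
        # self >= other iff the level is at least as high AND the categories are a superset.
        return LEVELS[self.level] >= LEVELS[other.level] and self.categories >= other.categories

class ReferenceMonitor:
    """Hypothetical single choke point: every request is decided here and logged."""
    def __init__(self, clearances, classifications):
        self._subjects = dict(clearances)        # subject name -> Label (clearance)
        self._objects = dict(classifications)    # object name  -> Label (classification)
        self.audit_log = []

    def check(self, subject, obj, mode):
        s, o = self._subjects.get(subject), self._objects.get(obj)
        if s is None or o is None:
            allowed = False                      # unknown entity: fail closed
        elif mode == "read":
            allowed = s.dominates(o)             # simple security property: no read up
        elif mode == "append":
            allowed = o.dominates(s)             # *-property: no write down
        elif mode == "write":
            allowed = s.dominates(o) and o.dominates(s)  # read and write: equal labels
        else:
            allowed = False                      # unknown access mode: fail closed
        self.audit_log.append((subject, obj, mode, allowed))
        return allowed

def demo():
    nuc, cry = frozenset({"NUCLEAR"}), frozenset({"CRYPTO"})
    rm = ReferenceMonitor(
        clearances={"alice": Label("SECRET", nuc), "bob": Label("SECRET", cry)},
        classifications={"memo.txt": Label("CONFIDENTIAL"),
                         "reactor.doc": Label("SECRET", nuc),
                         "warplan.doc": Label("TOP SECRET", nuc)})
    requests = [("alice", "memo.txt", "read"),       # read down: allowed
                ("alice", "warplan.doc", "read"),    # read up: denied
                ("alice", "warplan.doc", "append"),  # write up: allowed
                ("alice", "memo.txt", "append"),     # write down: denied
                ("bob", "reactor.doc", "read"),      # incomparable labels: denied
                ("alice", "reactor.doc", "write"),   # equal labels: allowed
                ("mallory", "memo.txt", "read")]     # unknown subject: denied
    return [rm.check(*r) for r in requests], rm

if __name__ == "__main__":
    print(*demo()[1].audit_log, sep="\n")
```

The request from bob shows why the scheme is a lattice rather than a simple ranking: two SECRET labels with different categories are incomparable, so neither dominates the other and the read is denied.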

    Security Kernel

    A security kernel, a concept developed by Roger Schell in 1972 (or was it a security shell developed by Colonel Rogers?) is the operating system mechanism that actually implements the reference monitor concept. The security kernel is the heart of the TCB --- the resource in the computing system that supervises all system activity in accordance with the system's security policy.

    Simplicity

    Simplicity is a very important characteristic of the TCB. As the Orange Book puts it, the TCB should be as simple as possible, consistent with the functions it has to perform.

    Security Perimeter

    The security kernel, as well as other security-related system functions, lies within the imaginary boundary of the TCB known as the security perimeter. In highly trusted systems, the TCB must be designed and implemented in such a way that system elements included in it are designed to perform security functions, while those elements excluded from the TCB need not be trusted.

    Orange Book Evaluation Classes

    Class, Name, Examples

    D: Minimal security

    None. Reserved for systems that are submitted to evaluation but fail. Basic operating systems for personal computers such as Windows, Mac, and MS-DOS would probably fall into this category if they were evaluated.

    C1

    C1: Discretionary security protection

    IBM: MVS/RACF

    Although ordinary UNIX systems have not been submitted for formal evaluation, many people feel that such systems would get a C1.

    C2

    C2: Controlled access protection

    Computer Associates International: ACF2/MVS

    DEC: VAX/VMS 4.5

    Gould: UTX/32S

    Hewlett-Packard: MPE V/E

    Wang Labs: SVS/OS CAP 1.0

    B1

    B1: Labeled security protection

    AT&T: System V/MLS

    IBM: MVS/ESA

    SecureWare: CMW+

    UNISYS: OS 1100

    B2

    B2: Structured protection

    Honeywell Information Systems: Multics

    Trusted Information Systems: Trusted XENIX

    B3

    B3: Security domains

    Honeywell Federal Systems: XTS-200

    A1

    A1: Verified design

    Honeywell Information Systems: SCOMP

    Boeing Aerospace: SNS

    Complaints About the Orange Book

    Here are some of the main claims about the inadequacies of Orange:

    The Orange Book model works only in a government classified environment, and the higher levels of security aren't appropriate for the protection of commercial data, where data integrity is the chief concern.

    The Orange Book focuses on only one aspect of security --- secrecy --- while paying little attention to the principles of accuracy, availability, and authenticity.

    The Orange Book emphasizes protection from unauthorized access, while most security attacks actually involve insiders.

    The Orange Book doesn't address networking issues. (But the Red Book does.)

    The Orange Book contains a relatively small number of security ratings. A system that offers a subset of Orange Book security features, plus some very strong features in other areas not addressed by the Orange Book (for example, integrity) wouldn't fit into any of the current ratings.

    C1 C2 B1 B2 B3 A1

    Discretionary Access Control SP

    Object Reuse

    Labels

    Label Integrity

    Exportation of Labeled Information

    Exportation of Multilevel Devices

    Exportation of Single-Level Devices

    Labeling Human-Readable Output

    Mandatory Access Control

    Subject Sensitivity Labels

    Device Labels

    Identification and Authentication AC

    The Rainbow Series and Other Sources

    The government has produced a number of other volumes interpreting Orange Book requirements. These are known collectively as the Rainbow Series, since each has a different cover color.

    Colors of the Rainbow

    These include:

    Red Book Trusted Network Interpretation

    Lavender Book Trusted Data Base Management System Interpretation

    Green Book Password Management Guideline

    Tan Book Guide to Understanding Audit in Trusted Systems

    Purple Book Guidelines for Formal Verification Systems

    Burgundy Book Guide to Understanding Design Documentation in Trusted Systems